-35- 

CLAIMS: 

1. An apparatus (107) for monitoring and auditing activity of a legacy 
environment, the apparatus comprising: 

an analyzer (303) operative to analyze intercepted packets conveyed by 
5 entities (102, 103, 104) in a network and to generate analyzed data based on 
information associated with at least some of said packets, the analyzed data being 
indicative of sessions; 

a mirror manager (305) responsive to said analyzed data for generating 
data representative of mirror sessions, each mirror session corresponding to a 
10 session; 

an audit event analyzer (307) for processing at least part of said data 
representative of mirror sessions and generating data representative of audit 
events, that include inbound audit events and outbound audit events, said 
outbound audit events including information representative of screens to be 
15 displayed on a terminal; and said inbound audit events including information 
representative of operations performed on a terminal. 

2. The apparatus of Claim 1, wherein the analyzer is operative to analyze 
headers and contents of said intercepted packets. 

3. The method of claim 1 or 2 wherein the audit event analyzer is adapted 
20 to correlating information included in an inbound audit event with information 

included in an outbound audit event, for generating a united audit event. 

4. The apparatus of Claim 1, wherein each one of said audit events is 
respective of operations performed by a user of said legacy environment. 

5. The apparatus of Claim 1, further comprising: 

25 a business event analyzer for processing at least part of said data 

representative of audit events and generating data representative of business 
events. 
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6. The apparatus of Claim 5, further comprising: 

an alerts manager (312) coupled to the business event analyzer and being 
responsive to said data representative of business events for generating alerts. 

7. The apparatus of Claim 6, wherein the alerts manager generates at least 
5 some of the alerts based on predetermined thresholds. 

8. The apparatus of any one of the preceding claims, wherein said entities 
include hosts (103) and terminals (102). 

9. The apparatus of any one of the preceding claims further comprising: 

a first long term storage device (304) for storing at least part of said 
10 analyzed data. 

10. The apparatus of any one of the preceding claims further comprising: 

a second long term storage device (306) for storing at least part of said 
data representative of mirror sessions. 

11. The apparatus of any one of Claims 1 to 9, further comprising: 

15 a compression agent (313) for compressing at least part of the data 

representative of mirror sessions. 

12. The apparatus of claim 10, further comprising: 

a compression agent (313) for compressing at least part of the data 
representative of mirror sessions. 
20 13. The apparatus of Claim 12, wherein the compression agent (313) is 
configured to compress the data representative of mirror sessions before storing 
at least part of them in the second long term storage device. 

14. The apparatus of any one of Claims 1 to 9 and 11, further comprising: 

an encryption agent (314) for encrypting at least part of the data 
25 representative of mirror sessions. 

15. The apparatus of any one of Claims 10, 12 and 13, further comprising: 
an encryption agent (314) for encrypting at least part of the data 

representative of mirror sessions. 
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16. The apparatus of Claim 15, wherein the encryption agent (314) encrypts 
the data representative of mirror sessions before storing at least part of them in 
the second long term storage device. 

17. The apparatus of any one of Claims 1 to 9, 11 and 14, further 
5 comprising: 

a signature agent (315) for digitally signing at least part of the data 
representative of mirror sessions. 

18. The apparatus of any one of Claims 10, 12, 13, 15 and 16, further 
comprising: 

10 a signature agent (315) for digitally signing at least part of the data 

representative of mirror sessions. 

19. The apparatus of Claim 18, wherein the signature agent (315) signs the 
data representative of mirror sessions before storing at least part of them in the 
second long term storage device. 

1 5 20. A method for monitoring and auditing activity of a legacy environment, 
the method comprising: 

analyzing (202) intercepted packets conveyed by entities in a network; 
generating (203) analyzed data based on information associated with at 
least some of said packets, the analyzed data being indicative of sessions; and 
20 responsive to said analyzed data generating (204) in respect of each one 

of one or more of said sessions data representative of a mirror session, each 
mirror session corresponds to a session; and 

processing at least part of said data representative of mirror sessions and 
generating (206) data representative of audit events that include inbound audit 
25 events and outbound audit events; said outbound audit events including informa- 
tion representative of screens displayable on a terminal; and said inbound audit 
events including information representative of operations performed on a 
terminal. 

21. The method of Claim 20, wherein analyzing intercepted packets includes 
30 analyzing headers and contents of said packets. 
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22. The method of claim 20, further including: 

correlating information included in an inbound audit event with 
information included in an outbound audit event, for generating a united audit 
event. 

5 23. The method of Claim 20 wherein each one of said audit events is 
respective of operations performed by a user of said legacy environment. 
24. The method of Claim 20, further comprising: 

processing at least part of said data representative of audit events and 
generating (207) data representative of business events. 
10 25. The method of Claim 24, further comprising: 

responsive to said data representative of business events generating alerts 
in respect of at least one of said business events. 

26. The method of Claim 25, wherein generating at least some of the alerts is 
based on predetermined thresholds. 
15 27. The method of any one of Claims 20 to 26, further comprising: 

storing (205) at least part of the analyzed data in a first long term storage 

device. 

28. The method of any one of Claims 20 to 27, further comprising: 

storing (208) at least part of the data representative of mirror sessions in 
20 a second long term storage device. 

29. The method of Claims 20 to 27 , further comprising: 

compressing (211) at least part of said data representative of mirror 
sessions. 

30. The method of Claim 28, further comprising: 

25 compressing (211) at least part of said data representative of mirror 

sessions. 

31. The method of Claim 30 wherein compressing (211) the at least part of 
said data representative of mirror sessions is performed before storing (208) at 
least part of them in the second long term storage device. 

30 32. The method of any one of Claims 20 to 27 and 29, further comprising: 
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encrypting (212) at least part of said data representative of mirror 
sessions. 

33. The method of any one of Claims 28, 30 and 3 1 further comprising: 
encrypting (212) at least part of said data representative of mirror 

5 sessions. 

34. The method of Claim 33, wherein the encrypting (212) the at least part of 
said data representative of mirror sessions is performed before storing (208) at 
least part of them in the second long term storage device. 

35. The method of any one of Claims 20 to 27, 29 and 32 further comprising: 
10 digitally signing (213) at least part of said data representative of mirror 

sessions. 

36. The method of any one of Claims 28, 30, 31, 33 and 34 further 
comprising: 

digitally signing (213) at least part of said data representative of mirror 
15 sessions. 

37. The method of Claim 36 wherein the digitally signing (213) the at least 
part of said data representative of mirror sessions is performed before storing 
(208) at least part of them in the second long term storage device. 

38. The method of claim 20 wherein the united audit event is displayable on 
20 a screen. 



